libpq-12.5-1.el8
Errata ID: AXSA:2021-1461:01
Release date:
2021/02/12 Friday - 06:21
Title:
libpq-12.5-1.el8
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
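The following issues have been addressed.
[Security Fix]
- PostgreSQL has a vulnerability in which, when a client application creates additional database connections while reusing only the basic connection parameters and dropping the security-relevant ones, an attacker is given an opportunity for a man-in-the-middle attack or to observe clear-text transmissions. (CVE-2020-25694)
- psql has a vulnerability in which, when an interactive terminal session uses \gset, an attacker can execute arbitrary code as the OS account running psql. (CVE-2020-25696)
Solution:
Update the packages.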
CVE:
CVE-2020-25694
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-25696
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Additional information:
N/A
Downloads:
SRPMS
- libpq-12.5-1.el8.src.rpm
MD5: 2d7c8d46f137b92f7d1f31225bb1afe2
SHA-256: c5c226eb09628d6b464ccebde0efe45eee09a2708c266d2ae939d34bcbd63ac6
Size: 19.68 MB
Asianux Server 8 for x86_64
- libpq-12.5-1.el8.x86_64.rpm
MD5: 3318c3e15f0120c798ac7bfe4af96b39
SHA-256: 7e0173d7b60307941df0b9b6ea777600af8f8b8a324709d8b6bf272f11c4ffc6
Size: 193.87 kB
- libpq-devel-12.5-1.el8.x86_64.rpm
MD5: 99b454380c2643bd8af4625e95399ce0
SHA-256: 25c2c3fd1c1556cf2ae87f8002181e9fa3d330c51e310764ea13d3282b3d77e5
Size: 96.80 kB
- libpq-12.5-1.el8.i686.rpm
MD5: 226808e7b4d63a4a5842c0d41d069bfa
SHA-256: 824e25d5464a9bca303ca5aa5f76beb0ae705791748b682609ca19bfa7b0ede9
Size: 204.10 kB
- libpq-devel-12.5-1.el8.i686.rpm
MD5: 3b4ef790f36d96b66124712e6b632af5
SHA-256: 0424513d22eee18aade67899797acad448dd0a600bf9a5009a9813bf42b7d0b5
Size: 98.80 kB